Sramana Mitra: Give me a couple of examples of use cases where major problems can be solved by automation.
Chris Petersen: I’ll give you a more detailed example around phishing. Phishing is something that all organizations contend with. Social engineering, which is another form of phishing, is still one of the most common ways in which a bad actor is able to compromise a target.
Phishing is a very effective way of doing that. A user gets a cleverly-crafted email. He/she clicks on a link that takes them to a site that leaves their browsers vulnerable. They eventually get malware downloaded onto their laptops. A remote access tool is installed that provides the threat actor persistent access that they can come back to later.
Then a lot also install a keystroke logger. That keystroke logger will record everything that the user types including their password. They might wait a few days, log back in, and now they have the password. They can then begin to move laterally, trying to connect to other systems and servers.
From an automation perspective, we can do behavioral profiling that will take advantage of machine learning to understand how that user account behaves. How does that laptop typically behave?
Eventually, when that user account or laptop gets into different systems, there’s going to be a shift in behavior. That threat actor is going to try and do things that that user doesn’t typically do, and our analytics is going to pick that up. That will generate an alarm. That’s when the next aspect of automation begins to kick in.
We’re going to automate some of the workflows around looking at some of the information around that alarm. Maybe there’s a certain subject line that was used in the email. That can help the analyst conclusively determine that this was a phishing attack and the system is actually compromised. That’s when the next level of automation would kick in.
It’s when the user can do things such as automating looking for other emails. The automation can then scan for other emails and delete those emails out of the system. It can also automatically connect into the directory services or some other account management software and disable the compromised user account.
That automation allows us to detect, automate workflow, and automate response. In phishing, what we’ve seen is, what used to take days or weeks of work can now be condensed to minutes and hours.
Sramana Mitra: In this space, where are the gaps? What are the open problems that warrant entrepreneurship?
Chris Petersen: There are still a number of gaps. Detecting threats is very hard. I’ve been doing this now for almost 25 years. It’s a game of cat and mouse. The technology evolves, and so do the threat actors. They find new ways to circumvent the technologies we put in place to block them or detect them.
There continue to be lots of opportunities for developing better and more advanced methods of detecting threats that are getting increasingly crafty while evading preventive and detection systems. The area of high innovation there is how to leverage advanced artificial intelligence to more accurately identify what is a real threat and a real compromise.
There’s still a decade left of innovation ahead when it comes to precision and high accuracy threat detection that can look across a global enterprise network that spans 20 nations, and with precision identify threats and compromise where the false positive rate is very low.
Today, with the state of the threat environment and where we are from a technology perspective, there are still too many false positives. That leaves security teams to have to look at too much data that ultimately takes their time but aren’t actually risks and threats. Advancement in analytics towards threat detection is a big innovation.
Sramana Mitra: Great. Thank you for your time.
This segment is part 2 in the series : Thought Leaders in Cyber Security: LogRhythm CTO and Chief Product Officer Chris Petersen